]> xenbits.xensource.com Git - xen.git/commit
projects / xen.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 672b26b) | patch
x86/HVM: clear upper halves of GPRs upon entry from 32-bit code
authorJan Beulich <jbeulich@suse.com>
Wed, 27 Mar 2024 17:31:38 +0000 (17:31 +0000)
committerAndrew Cooper <andrew.cooper3@citrix.com>
Tue, 9 Apr 2024 11:49:40 +0000 (12:49 +0100)
commit6a98383b0877bb66ebfe189da43bf81abe3d7909
tree534a9803d956d895b109e60091457a494b026763tree
parent672b26b66ebb5ff3d28c573a6545a08020b27495commit | diff
x86/HVM: clear upper halves of GPRs upon entry from 32-bit code

Hypercalls in particular can be the subject of continuations, and logic
there checks updated state against incoming register values. If the
guest manufactured a suitable argument register with a non-zero upper
half before entering compatibility mode and issuing a hypercall from
there, checks in hypercall_xlat_continuation() might trip.

Since for HVM we want to also be sure to not hit a corner case in the
emulator, initiate the clipping right from the top of
{svm,vmx}_vmexit_handler(). Also rename the invoked function, as it no
longer does only invalidation of fields.

Note that architecturally the upper halves of registers are undefined
after a switch between compatibility and 64-bit mode (either direction).
Hence once having entered compatibility mode, the guest can't assume
the upper half of any register to retain its value.

This is part of XSA-454 / CVE-2023-46842.

Fixes: b8a7efe8528a ("Enable compatibility mode operation for HYPERVISOR_memory_op")
Reported-by: Manuel Andreas <manuel.andreas@tum.de>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Roger Pau Monné <roger.pau@citrix.com>
xen/arch/x86/hvm/svm/svm.c diff | blob | blame | history
xen/arch/x86/hvm/vmx/vmx.c diff | blob | blame | history
xen/arch/x86/include/asm/hvm/hvm.h diff | blob | blame | history
Xen (staging and unstable) mirror